
sw2dg wireless and network security integration design guide


DOCUMENT INFORMATION

Basic information

Format
Number of pages 356
Size 13,12 MB

Content

Wireless and Network Security Integration Design Guide
Cisco Validated Design
November 24, 2008

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number:
Text Part Number: OL-18316-01

The Cisco Validated Design Program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit www.cisco.com/go/validateddesigns.

© 2008 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface i-i
  Document Organization i-i

Chapter 1 Solution Overview 1-1
  Design Overview 1-1
  Network Security 1-1
  Solution Components 1-2
  Cisco Unified Wireless Network 1-3
  Cisco Security Agent (CSA) 1-3
  Cisco NAC Appliance 1-4
  Cisco Firewall 1-4
  Cisco IPS 1-4
  CS-MARS 1-5

Chapter 2 Solution Architecture 2-1
  Introduction 2-1
  Cisco Unified Wireless Network 2-1
  Secure Wireless Architecture 2-4
  Campus Architecture 2-5
  Branch Architecture 2-6

Chapter 3 802.11 Security Summary 3-1
  Regulation, Standards, and Industry Certifications 3-1
  IEEE 3-1
  IETF 3-1
  Wi-Fi Alliance 3-2
  Cisco Compatible Extensions 3-2
  Federal Wireless Security Policy and FIPS Certification 3-3
  Federal Communications Commission 3-5
  Base 802.11 Security Features 3-5
  Terminology 3-6
  802.11 Fundamentals 3-6
  802.11 Beacons 3-7
  802.11 Join Process (Association) 3-8
  Probe Request and Probe Response 3-8
  Authentication 3-9
  Association 3-10
  802.1X 3-11
  Extensible Authentication Protocol 3-11
  Authentication 3-12
  Supplicants 3-13
  Authenticator 3-14
  Authentication Server 3-16
  Encryption 3-17
  4-Way Handshake 3-19

Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features 4-1
  Cisco Unified Wireless Network Architecture 4-3
  LWAPP Features 4-3
  Cisco Unified Wireless Security Features 4-4
  Enhanced WLAN Security Options 4-4
  Local EAP Authentication 4-6
  ACL and Firewall Features 4-7
  DHCP and ARP Protection 4-8
  Peer-to-Peer Blocking 4-8
  Wireless IDS 4-9
  Mobility Services Engine 4-10
  Adaptive Wireless IPS 4-11
  Client Exclusion 4-12
  Rogue AP 4-13
  Air/RF Detection 4-14
  Location 4-15
  Wire Detection 4-16
  Rogue AP Containment 4-16
  Management Frame Protection 4-16
  Client Management Frame Protection 4-18
  WCS Security Features 4-19
  Configuration Verification 4-19
  Alarms 4-20
  Architecture Integration 4-20
  References 4-21

Chapter 5 Wireless NAC Appliance Integration 5-1
  Introduction 5-1
  NAC Appliance and WLAN 802.1x/EAP 5-2
  NAC Appliance Modes and Positioning within the Unified Wireless Network 5-3
  Modes of Operation 5-3
  Out-of-Band Modes 5-3
  In-Band Modes 5-4
  In-Band Virtual Gateway 5-6
  In-Band Real IP Gateway 5-6
  Gateway Method to Use with Unified Wireless Deployments 5-7
  NAC Appliance Positioning in Unified Wireless Deployments 5-7
  Edge Deployments 5-7
  Centralized Deployments 5-9
  Summary 5-10
  Cisco Clean Access Authentication in Unified Wireless Deployments 5-10
  Web Authentication 5-11
  Clean Access Agent 5-11
  Single Sign-On-VPN 5-11
  Single Sign-On Active Directory 5-12
  Posture Assessment and Remediation 5-14
  Vulnerability Assessment and Remediation 5-16
  Roaming Considerations 5-17
  Layer Roaming with NAC Appliance 5-17
  Layer Roaming with NAC Appliance—WLC Images 4.0 and Earlier 5-18
  Layer Roaming with NAC Appliance—WLC Images 4.1 and Later 5-20
  Roaming with NAC Appliance and AP Groups 5-21
  Implementing NAC Appliance High Availability with Unified Wireless 5-22
  High Availability NAC Appliance/WLC Building Block 5-23
  WLC Connectivity 5-27
  WLC Dynamic Interface VLANs 5-27
  NAC Appliance Connectivity 5-27
  NAC Management VLANs 5-27
  NAC-Wireless User VLANs 5-27
  Virtual Gateway Mode 5-27
  Real IP Gateway Mode 5-27
  Inter-Switch Connectivity 5-28
  Inter-NAC Appliance Connectivity 5-28
  Looped Topology Prevention—Virtual Gateway Mode 5-29
  High Availability Failover Considerations 5-29
  Implementing Non-Redundant NAC with Unified Wireless 5-30
  Implementing CAM High Availability 5-31
  Scaling Considerations 5-31
  Integrated Wired/Wireless NAC Appliance Deployments 5-32
  NAC Appliance with Voice over WLAN Deployments 5-32
  Multilayer Switch Building Block Considerations 5-32
  Inter-Switch Trunk Configuration 5-33
  VLAN Configuration 5-34
  SVI Configuration 5-36
  NAC Appliance Configuration Considerations 5-40
  NAC Appliance Initial Configuration 5-40
  NAC Appliance Switch Connectivity 5-41
  NAC Appliance HA Server Configuration 5-42
  Self-Signed Certificate for HA Deployment 5-45
  Standalone WLAN Controller Deployment with NAC Appliance 5-46
  WLC Port and Interface Configuration 5-48
  AP Manager Interfaces 5-49
  WLAN Client Interfaces 5-50
  Mapping WLANs to Untrusted WLC Interfaces 5-52
  WiSM Deployment with NAC Appliance 5-53
  WiSM Backplane Switch Connectivity 5-53
  WiSM Interface Configuration 5-57
  WiSM WLAN Interface Assignment 5-57
  Clean Access Manager/NAC Appliance Configuration Guidelines 5-57
  Adding an HA NAC Pair to the CAM 5-57
  Adding a Single NAC Appliance to the CAM 5-59
  Connecting the Untrusted Interfaces (HA Configuration) 5-59
  Adding Managed Networks 5-59
  VLAN Mapping 5-61
  DHCP Pass-through 5-62
  Enabling Wireless Single Sign-On 5-62
  Configuring Authentication for Wireless VPN SSO 5-63
  Radius Proxy Accounting (Optional) 5-64
  WLAN Controller—Configuring RADIUS Accounting for Wireless VPN SSO 5-65
  Configuring Authentication for Wireless Active Directory SSO 5-67
  Creating a Wireless User Role 5-70
  Defining an Authentication Server for Wireless Users Role 5-73
  Defining User Pages 5-75
  Configure Clean Access Method and Policies 5-79
  End User Example—Wireless Single Sign-On 5-81
  Branch Deployments and NAC Network Module (NME) 5-88
  High Availability Considerations 5-88
  Branch NAC and SSO 5-89
  WLCM and the NAC-NME 5-90
  H-REAP and NAC-NME 5-91

Chapter 6 Secure Wireless Firewall Integration 6-1
  Role of the Firewall 6-1
  Alternatives to an Access Edge Firewall 6-3
  Protection against Viruses and Worms 6-3
  Applying Guest Access Policies 6-3
  Firewall Integration 6-4
  FWSM, ASA, and IOS Firewall 6-4
  FWSM and ASA Modes of Operation 6-5
  Routed versus Transparent 6-5
  Single or Multiple Context 6-7
  Basic Topology 6-8
  Example Scenario 6-11
  Department Partitioning 6-11
  ACS RADIUS Configuration 6-12
  WLC Configuration 6-14
  FWSM or ASA Configuration 6-17
  FWSM Configuration 6-19
  ASA Configuration 6-30
  ASA and Security Contexts 6-30
  ASA CLI Context Configuration 6-30
  ASA Admin Context Configuration 6-32
  Service Groups and Windows Domain Authentication 6-33
  Service Group Configuration 6-34
  High Availability 6-38
  Spanning Tree and BPDUs 6-40
  WLAN Client Roaming and Firewall State 6-40
  Layer and Layer Roaming 6-42
  Architectural Impact of Symmetric Layer 6-46
  Configuration Changes for Symmetric Layer Roaming 6-48
  Layer Roaming is Not Mobile IP 6-48
  Combining NAC and a Firewall 6-49
  Branch WLC Deployments and IOS Firewall 6-50
  SDM 6-50
  General IOS Firewall Inspect Statement 6-51
  Basic Policy 6-51
  Open Access Policy 6-52
  H-REAP 6-53
  WLCM 6-53
  High Availability 6-53
  Software Versions in Testing 6-53

Chapter 7 CSA for Mobile Client Security 7-1
  CSA Overview 7-1
  CSA Solution Components 7-2
  CSA for Mobile Client Security Overview 7-2
  CSA for General Client Protection 7-2
  CSA for Mobile Client Protection 7-3
  CSA and Complementary Cisco Security Features 7-5
  Wireless Ad-hoc Connections 7-5
  Simultaneous Wired and Wireless Connections 7-6
  CSA Integration with the Cisco Unified Wireless Network 7-6
  Wireless Ad-Hoc Connections 7-7
  Wireless Ad-hoc Networks Security Concerns 7-8
  CSA Wireless Ad-Hoc Connections Pre-Defined Rule Module 7-9
  Pre-Defined Rule Module Operation 7-9
  Pre-Defined Rule Module Configuration 7-10
  Pre-Defined Rule Module Logging 7-12
  Wireless Ad-Hoc Rule Customization 7-13
  Simultaneous Wired and Wireless Connections 7-14
  Simultaneous Wired and Wireless Connections Security Concerns 7-14
  CSA Simultaneous Wired and Wireless Connections Pre-Defined Rule Module 7-15
  Pre-Defined Rule Module Operation 7-15
  Pre-Defined Rule Module Configuration 7-16
  Pre-Defined Rule Module Logging 7-20
  Simultaneous Wired and Wireless Rule Customization 7-21
  Location-Aware Policy Enforcement 7-22
  Mobile Client Security Threat Exposure 7-23
  CSA Location-Aware Policy Enforcement 7-24
  Location-Aware Policy Enforcement Operation 7-24
  Location-Aware Policy Enforcement Configuration 7-24
  General Location-Aware Policy Enforcement Configuration Notes 7-30
  CSA Force VPN When Roaming Pre-Defined Rule Module 7-31
  Pre-Defined Rule Module Operation 7-31
  Pre-Defined Rule Module Configuration 7-32
  Upstream QoS Marking Policy Enforcement 7-36
  Benefits of Upstream QoS Marking 7-37
  Benefits of Upstream QoS Marking on a WLAN 7-38
  Challenges of Upstream QoS Marking on a WLAN 7-38
  CSA Trusted QoS Marking 7-38
  Benefits of CSA Trusted QoS Marking on a WLAN Client 7-40
  Basic Guidelines for Deploying CSA Trusted QoS Marking 7-40
  CSA Wireless Security Policy Reporting 7-40
  CSA Management Center Reports 7-40
  Third-Party Integration 7-43
  General Guidelines for CSA Mobile Client Security 7-44
  Additional Information 7-44
  CSA Pre-Defined Rule Module Operational Considerations 7-44
  Wireless Ad-Hoc Connections 7-44
  Simultaneous Wired and Wireless Connections 7-45
  Force VPN When Roaming 7-46
  Sample Development of a Customized Rule Module 7-47
  Sample Customized Rule Module Operation 7-47
  Sample Customized Rule Module Definition 7-49
  Sample Customized Rule Module Logging 7-55
  Test Bed Hardware and Software 7-56
  Reference Documents 7-56
  Cisco Security Agent (CSA) 7-56
  Cisco Secure Services Client (CSSC) 7-57
  Cisco Unified Wireless 7-57
  CS MARS 7-57
  Wireless Ad-hoc Vulnerability 7-57

Chapter 8 Cisco Wireless and Network IDS/IPS Integration 8-1
  Roles of Wireless and Network IDS/IPS in WLAN Security 8-1
  Complementary Roles of Wireless and Network IDS/IPS 8-1
  Collaborative Role of Cisco WLC and Cisco IPS 8-4
  How Cisco WLC and IPS Collaboration Works 8-5
  Cisco WLC and IPS Synchronization 8-5
  WLC Enforcement of a Cisco IPS Host Block 8-6
  Cisco IPS Host Block Retraction 8-8
  Cisco Unified Wireless and IPS Integration 8-8
  IPS Deployment and Integration 8-9
  Enabling Cisco WLC and Cisco IPS Collaboration 8-10
  Enabling Cisco WLC and IPS Collaboration Monitoring 8-15
  Enabling WLC Local Logging of WLAN Client Block Events 8-15
  Enabling SNMP Traps for WLAN Client Block Events 8-16
  Enabling WCS Cross-WLC Monitoring of WLAN Events 8-18
  Enabling CS-MARS Monitoring of WLAN Events 8-23
  Cisco IPS Host Block Activation and WLC Enforcement 8-24
  Monitoring Cisco WLC and IPS Collaboration 8-29
  Verifying Cisco WLC and IPS Communication Status 8-29
  WLC GUI 8-29
  WLC CLI 8-30
  IDM GUI 8-31
  IPS CLI 8-33
  Viewing WLAN Client Block Events 8-34
  WLC Local Logging of WLAN Client Block Events 8-34
  SNMP Reporting of WLAN Client Block Events 8-35
  IPS Events Related to Host Block Events 8-37
  WLC CLI Reporting of WLAN Client Block Events 8-40
  IPS CLI Reporting of WLAN Client Block Events 8-41
  Viewing Excluded Clients 8-42
  WCS Cross-WLC Monitoring of WLAN Client Block Events 8-43
  Consolidated Shunned Clients List 8-43
  Consolidated Excluded Client Events List 8-45
  General Guidelines for Cisco Wireless and Network IDS/IPS Integration 8-47
  Additional Information 8-48
  Cisco WLC and IPS Collaboration Operational Details 8-48
  Cisco IPS Deployment Modes 8-49
  Cisco IPS Block versus Deny Actions 8-49
  Cisco IPS and WLC Integration Dependencies 8-50
  Test Bed Hardware and Software 8-50
  Reference Documents 8-51
  Cisco IPS 8-51
  Cisco Security Portfolio 8-51
  Cisco Unified Wireless 8-51
  General Network Security 8-51

Chapter 9 CS-MARS Integration for Cisco Unified Wireless

CS-MARS for Cisco Unified Wireless Features

Figure 9-15 CS-MARS Rule Rogue WLAN AP Detected

Queries and Reports Featuring WLAN Events

CS-MARS features WLAN-specific queries and reports, including:
• WLAN DoS Attacks Detected
• WLAN Probes Detected
• WLAN Rogue AP or Adhoc Hosts Detected
• WLAN Successful Mitigations

WLAN events are also integrated into existing queries and reports, as appropriate, for example:
• Network Attacks and DoS
• Reconnaissance
• Operational Issue

Running a Query on WLAN Events

To run a query on particular WLAN-specific events:

Step 1 Navigate to QUERY/REPORTS.

Step 2 From the drop-down box Select Report…, select the desired WLAN-specific report. If you know which Report Group a report belongs to, you can filter the list by selecting the appropriate Report Group in the drop-down box Select Group… (see Figure 9-16).

Figure 9-16 CS-MARS WLAN-Specific Reports

Step 3 Ensure the query timeframe is as required (shown here for the last one hour interval) and click Submit Inline (see Figure 9-17).

Figure 9-17 Sample CS-MARS Rogue WLAN AP Report

Events that have been correlated into event sets can be expanded to view the individual events and their associated raw message.

Generating a Report on WLAN Events

To generate a report on particular WLAN-specific events:

Step 1 Navigate to QUERY/REPORTS -> Report.

Step 2 From the drop-down box Group Report Groups -, select the desired Report Group (see Figure 9-18). The reports available within that Report Group are then displayed (see Figure 9-19).

Figure 9-18 Selecting a CS-MARS Report by Report Group

Figure 9-19 CS-MARS Network Attacks and DoS Report Group

Step 3 Select the report of interest and, unless the report was recently generated, click Resubmit. To view the newly generated report, click View Report (see Figure 9-20).

Figure 9-20 Generating and Viewing a CS-MARS Report

The report is then displayed (see Figure 9-21).

Figure 9-21 Sample CS-MARS WLAN Rogue AP Report

General Guidelines for CS-MARS Integration for Cisco Unified Wireless

General guidelines for extending CS-MARS monitoring to the Cisco Unified Wireless Network include the following:
• Enable CS-MARS monitoring of the Cisco Unified Wireless Network to provide cross-network visibility.
• Ensure access point MAC addresses are unique.
• Consider developing custom rules that use the rich set of WLAN events to further extend CS-MARS capabilities.
• Use WCS for detailed analysis and investigation of WLAN events.

Additional Information

CS-MARS for Cisco Unified Wireless Operational Considerations

This section outlines some operational considerations when extending CS-MARS cross-network anomaly detection and correlation to the Cisco Unified Wireless Network.

• The reporting device for Cisco Unified Wireless events is the name of the WLC or AP that generated the event.
• The WLC and AP often only identify and report WLAN anomalies based on the MAC address of the device generating the anomaly. Related information, such as source and destination IP address, port, or protocol, is typically not reported. If this is the case, CS-MARS displays the WLAN event with a source and destination IP address of 0.0.0.0, a source and destination port of 0, and a protocol of N/A. The MAC address of the device identified as the source of the anomaly is available in the raw message.
• CS-MARS does not currently perform event classification or correlation based on the MAC address of the device generating a WLAN anomaly. For detailed WLAN-specific event anomaly detection and correlation, the Cisco WLC and Wireless Control System (WCS) can be leveraged to enable further investigation of anomalies identified by CS-MARS.
• CS-MARS false positive tuning is performed based on source or destination IP address. Since many WLAN anomalies, such as rogue AP reporting, do not have a client source or destination IP address, this is not currently possible. However, extensive rogue device classification capabilities were introduced in Cisco Unified Wireless Release 5.0 and these should be leveraged to aid incident investigation. For more details on this feature, refer to Reference Documents, page 9-25.
• A custom parser can be used to extend CS-MARS native parsing of WLAN events, for example, to use the WLAN anomaly source MAC address. For more details on this CS-MARS capability, refer to Reference Documents, page 9-25.
• CS-MARS currently only supports SNMP v1, which passes all data in clear text, including the community strings, and is thus vulnerable to sniffing. It is recommended that customers review their security policy to determine if additional security techniques, such as IPSec or an out-of-band (OOB) management network, are required to protect SNMP v1 transactions. General best practices include the use of strong, non-trivial community strings, removing default community strings, restricting access to authorized originators only, and granting only read-only access. For more information on securing SNMP access, refer to the Network Security Baseline document in General Network Security, page 9-25.

CS-MARS WLAN AP Event Parsing

In order for CS-MARS to discover and parse events from Cisco LWAPP access points, the Cisco WLC must first be defined as a reporting device in CS-MARS. The steps required to define a Cisco WLC as a reporting device in CS-MARS are outlined in detail earlier in this chapter.

The WLC receives events from the APs that it monitors and then forwards these events as SNMP traps. The source IP address of the trap is always the WLC. However, if an AP generated the original event, the MAC address of the AP is embedded in the SNMP trap as an OID (object identifier). CS-MARS parses these SNMP traps in order to accurately identify the reporting device.

When CS-MARS receives an SNMP trap from a WLC that includes the MAC address of an AP as the event originator, the manner in which the event is parsed depends upon whether CS-MARS has an AP with a matching MAC address already defined or not:
• If the AP MAC address is known, CS-MARS presents the AP device name as the reporting device.
• If the AP MAC address is unknown, CS-MARS presents this first event with the WLC device name as the reporting device and also, automatically, defines the AP as a child agent of the WLC sending the trap. Subsequent events are thus accurately attributed to the AP as the reporting device, since it is defined as a device and identifiable based on its MAC address.

This progressive, automatic discovery of new, undefined, or previously undiscovered APs eliminates the need for manual definition.

Note: Progressive auto-discovery of the access points requires SNMPv1 read access to be enabled on the WLC. For information on configuring the WLC, refer to Configuring the Cisco WLC, page 9-3.

If an AP MAC address is unknown and automatic discovery fails, the event is attributed to the WLC. WLC SNMP traps that do not include AP MAC address information are attributed to the WLC as the reporting device.

CS-MARS Integration for Cisco Unified Wireless Dependencies

CS-MARS and Cisco WLC integration is dependent upon the software and hardware platforms shown in Table 9-3.

Table 9-3 CS-MARS and Cisco WLC Integration Dependencies
Component   Minimum Software                              Additional Information
CS-MARS     Release 5.3.2 or later                        Release 6.0 supports both Gen1 and Gen2 hardware; Release 5.3.2 supports Gen2 hardware (110 and 210) only
Cisco WLC   Cisco Unified Wireless Release 4.x or later   LWAPP APs only
LWAPP AP

Test Bed Hardware and Software

Integration testing was performed and verified using the CS-MARS and WLC platforms and software releases shown in Table 9-4.

Table 9-4 Test Bed Hardware and Software
Component   Hardware                                                        Software
CS-MARS     MARS 210                                                        5.3.5 (2934)
WLC         WLC 2106                                                        5.0.148.2
WLC         Wireless Services Module (WiSM) in Cisco Catalyst 6500 Series   5.0.148.2
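The reporting-device attribution rules in CS-MARS WLAN AP Event Parsing above can be modelled in a few dozen lines. The following Python is an added illustration, not Cisco code and not how CS-MARS is implemented; the trap varbind name, the registry layout and the generated AP device name are assumptions made for the example.

```python
"""Model of CS-MARS reporting-device attribution for WLC-forwarded SNMP traps.
Added example, not Cisco code. Assumptions: the AP MAC arrives in a varbind named
apMacAddr (invented name), auto-defined APs are named AP-<mac>, and a WLC is
keyed by its management IP (the trap source address is always the WLC)."""
from dataclasses import dataclass, field
from typing import Optional
import re

AP_MAC_VARBIND = "apMacAddr"   # assumed varbind name, not a real Cisco OID name
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so AP lookups ignore separators and case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Wlc:
    name: str
    snmpv1_read: bool = True   # progressive AP discovery needs SNMPv1 read access


@dataclass
class Event:
    reporting_device: str
    src_ip: str = "0.0.0.0"    # WLAN anomaly traps usually carry no client IP info
    dst_ip: str = "0.0.0.0"
    src_port: int = 0
    dst_port: int = 0
    protocol: str = "N/A"
    anomaly_mac: Optional[str] = None   # only recoverable from the raw message
    raw: str = ""


@dataclass
class MarsRegistry:
    wlcs: dict = field(default_factory=dict)  # WLC mgmt IP -> Wlc
    aps: dict = field(default_factory=dict)   # AP MAC -> (AP name, parent WLC name)

    def attribute(self, trap_src_ip: str, varbinds: dict, raw: str) -> Event:
        wlc = self.wlcs.get(trap_src_ip)
        if wlc is None:
            # The WLC must be defined as a reporting device before its traps parse.
            raise KeyError(f"trap from undefined reporting device {trap_src_ip}")
        ev = Event(reporting_device=wlc.name, raw=raw)
        m = MAC_RE.search(raw.lower())
        if m:
            ev.anomaly_mac = m.group(1)   # what a custom parser would surface
        ap_mac = varbinds.get(AP_MAC_VARBIND)
        if ap_mac is None:
            return ev                     # no AP MAC: the WLC is the reporter
        ap_mac = norm_mac(ap_mac)
        if ap_mac in self.aps:
            ev.reporting_device = self.aps[ap_mac][0]
        elif wlc.snmpv1_read:
            # First sighting: attribute to the WLC, auto-define the AP as its child.
            self.aps[ap_mac] = (f"AP-{ap_mac.replace(':', '')}", wlc.name)
        # else: discovery fails, the event stays attributed to the WLC
        return ev


def demo() -> list:
    """Constructed traps from one WLC: first AP sighting, a repeat, one without AP MAC."""
    reg = MarsRegistry(wlcs={"10.1.1.10": Wlc("wlc-campus-1")})
    ap_varbinds = {AP_MAC_VARBIND: "00-1A-2B-3C-4D-5E"}          # constructed
    raw = "Rogue AP 00:11:22:33:44:55 detected on channel 6"      # constructed
    first = reg.attribute("10.1.1.10", ap_varbinds, raw)
    second = reg.attribute("10.1.1.10", ap_varbinds, raw)
    no_ap = reg.attribute("10.1.1.10", {}, "Controller reboot")   # constructed
    return [first, second, no_ap]


if __name__ == "__main__":
    for ev in demo():
        print(ev.reporting_device, ev.src_ip, ev.protocol, ev.anomaly_mac)
```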
Reference Documents

Cisco Unified Wireless
• Cisco Wireless
  http://www.cisco.com/en/US/products/hw/wireless/index.html
• Cisco Wireless Control System (WCS)
  http://www.cisco.com/en/US/products/ps6305/index.html
• Managing Rogue Devices, Cisco Wireless LAN Controller Configuration Guide, Release 5.0
  http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5sol.html#wp1345692

CS-MARS
• CS-MARS
  http://www.cisco.com/en/US/products/ps6241/tsd_products_support_series_home.html
• Configuring Wireless LAN Devices, User Guide for Cisco Security MARS Local Controller, Release 5.3.x
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/cfgwlan.html
• Configuring Custom Devices, User Guide for Cisco Security MARS Local Controller, Release 5.3.x
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/local_controller/cfgcustm.html
  User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

General Network Security
• Network Security Baseline
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html

GLOSSARY

AAA  Authentication, Authorization, and Accounting
ACS  Cisco Access Control Server
AES  Advanced Encryption Standard
AP  Access point
BSSID  Basic service set identifier
CAM  Clean Access Manager
CCMP  Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
CCX  Cisco Compatible Extensions
CSA  Cisco Security Agent
CSSC  Cisco Secure Services Client
DoS  Denial of service
EAP  Extensible Authentication Protocol
EAP-FAST  EAP-Flexible Authentication via Secured Tunnel
EAP-TLS  EAP-Transport Layer Security
FWSM  Firewall Services Module
IDS  Intrusion detection system
IPS  Intrusion prevention system
LAP  LWAPP Access Point
LWAPP  Lightweight Access Point Protocol
MAP  Mesh AP
MFP  Management frame protection
MIC  Message integrity check
NAC  Network Admission Control
PEAP GTC  Protected EAP Generic Token Card
PEAP MSCHAP  Protected EAP Microsoft Challenge Handshake Authentication Protocol
PKI  Public Key Infrastructure
RADIUS  Remote Authentication Dial-In User Service
RF  Radio frequency
RLDP  Rogue Location Discovery Protocol
RSSI  Received signal strength indication
SNR  Signal-to-noise ratio
SSID  IEEE Extended Service Set Identifier
SSO  Single sign-on
SVI  Switched virtual interfaces
TKIP  Temporal Key Integrity Protocol
TLS  Transport Layer Security
WCS  Wireless Control System
WEP  Wired Equivalent Privacy
Wi-Fi  Wi-Fi is the brand of the Wi-Fi Alliance, which certifies interoperability of products and services based on IEEE 802.11 technology
WiSM  Wireless Services Module
WLAN  Wireless LAN
WLC  Wireless LAN Controller
WLCM  Wireless LAN Controller Module
WLSM  Wireless LAN Services Module
WMM  Wi-Fi Multimedia
WPA  Wi-Fi Protected Access

Posted: 27/10/2019, 21:19